stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

preparation for ui re-shelling

Browse Source
This commit is contained in:
master
2026-02-18 23:03:07 +02:00
parent cb3e361fcf
commit c2f13fe588
46 changed files with 16727 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

548
docs/modules/ui/v2-rewire/pack-20.md Normal file
View File

@@ -0,0 +1,548 @@
## Pack 20 — Evidence & Audit consolidated around **who needs what evidence, when** (release/bundle/envcentric; preserves all PoC screens)
Below you get:
1. **Evidence menu graph (Mermaid)**
2. For **each screen**:
* **Formerly** (old name/location)
* **Why moved/reshaped**
* **Screen navigation graph (Mermaid)**
* **ASCII mock**
This pack covers the PoC evidence screens you showed:
* **Evidence Bundles** (`evidence bundles.png`)
* **Export Center** (`export.png`)
* **Replay/Verify (Verdict Replay)** (`reply verify.png`)
* **Packets / Proof Chains** (present in the left menu in earlier screenshots; you referenced them)
* **Trust & Signing** (`trust and signing .png`)
…and makes them decision-connected for **Release / Bundle / Env**.
---
# 20.1 Evidence & Audit menu graph (Mermaid)
```mermaid
flowchart TD
EVID[Evidence & Audit (ROOT)] --> HOME[Evidence Home]
EVID --> PACK[Evidence Packs]
EVID --> BUND[Evidence Bundles]
EVID --> EXP[Export Center]
EVID --> CHAIN[Proof Chains]
EVID --> VERIFY[Replay & Verify]
EVID --> TRUST[Trust & Signing]
EVID --> AUDIT[Audit Log]
%% Entry points from decision areas
REL[Releases] --> HOME
APPR[Approvals] --> HOME
RCENV[Env Detail] --> HOME
BVER[Bundle Version Detail] --> HOME
%% Cross-links
HOME --> EXP
BUND --> CHAIN
VERIFY --> CHAIN
TRUST --> CHAIN
EXP --> BUND
```
**Design rule:** Evidence is not “a folder of files.”
Its **a pipeline artifact** tied to:
* a **Release/Hotfix**,
* a **Bundle Version**,
* an **Environment Promotion Run**,
* and the **policy decision** that allowed/blocked it.
---
# 20.2 Evidence screen — Evidence Home (new “router” page)
### Formerly
* Evidence was scattered under **Evidence** section items: Packets, Proof Chains, Replay/Verify, Export, Bundles.
* No single “Im an auditor / Im an approver / Im an operator” entry point.
### Why changed like this
Evidence Home is the **entry router**:
* “Give me evidence for **Release X**
* “Give me evidence for **Bundle Version digest**
* “Give me evidence for **Env us-prod today**
* “Give me evidence for **Approval request A**
This reduces bounce across Export/Bundles/Proof Chains.
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Evidence Home] --> B[Search: Release / Bundle / Env / Approval / Digest]
A --> C[Quick tiles: Latest packs, latest bundles, failed verifies]
A --> D[Entry: Export Center]
A --> E[Entry: Evidence Bundles]
A --> F[Entry: Replay & Verify]
A --> G[Entry: Proof Chains]
A --> H[Entry: Trust & Signing]
```
### ASCII mock
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ HOME │
│ Formerly: evidence functions scattered (Packets/Proof Chains/Export/Replay/Bundles) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Find evidence for: [ Release ▾ ] [ Bundle Version ▾ ] [ Environment ▾ ] [ Approval ▾ ] │
│ Or paste: digest / verdict-id / bundle-id │
│ [Search] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Quick views │
│ - Latest promotion evidence packs (24h) - Latest sealed bundles (7d) │
│ - Failed verification / replay (7d) - Expiring trust/certs (30d) │
│ │
│ Shortcuts: [Export Center] [Evidence Bundles] [Replay & Verify] [Proof Chains] [Trust & Signing]│
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 20.3 Evidence screen — Evidence Packs (formerly “Packets”)
### Formerly
* **Evidence → Packets** (left nav in earlier screenshots)
* Not shown as a main content screenshot, but it exists as PoC menu item.
### Why changed like this
“Pack” becomes the atomic evidence artifact tied to:
* a **promotion run**
* a **policy decision**
* a **bundle version**
* an **environment snapshot**
It should be the default evidence object used internally and optionally exported.
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Evidence Packs] --> B[Pack Detail]
A --> C[Filter: Release / Env / Bundle Version / Time]
A --> D[Open linked Approval / Run]
A --> E[Export pack -> Export Center]
B --> F[Proof Chain refs]
B --> G[Verify signatures -> Replay & Verify]
```
### ASCII mock
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ EVIDENCE PACKS │
│ Formerly: Evidence ▸ Packets │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Release ▾ Env ▾ Bundle Version ▾ Status ▾ Time window ▾ │
│ Actions: [Export selected packs] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Packs │
│ pack-9001 Feb 18 08:33 env us-prod bundle Hotfix 1.2.4 status: sealed ✓ [Open] │
│ pack-9002 Feb 18 07:30 env us-uat bundle web-frontend v2 status: sealed ✓ [Open] │
│ pack-9003 Feb 17 08:30 env us-prod bundle worker v3.1.0 status: sealed ✓ [Open] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 20.4 Evidence screen — Pack Detail (new “case file” for a pack)
### Formerly
* Evidence details were spread across Export/Bundles/Replay.
### Why changed like this
One place to answer:
* What decision was made?
* Which bundle manifest/digests?
* Which SBOM/finding snapshot?
* Which signatures / proof chain refs?
* What can I export?
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Pack Detail] --> B[Decision summary (policy gates + approvals)]
A --> C[Artifacts list (SBOM, findings, attestations, provenance)]
A --> D[Proof chain refs]
A --> E[Verify / Replay]
A --> F[Export as bundle / attach to audit report]
```
### ASCII mock
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE PACK DETAIL: pack-9001 │
│ Formerly: no unified pack “case file” │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Context │
│ Release: Hotfix 1.2.4 Env: us-prod Promotion Run: run-7712 │
│ Bundle manifest: sha256:beef... Created: Feb 18 08:33 by alice.johnson │
│ Decision: PASS policy gates 1/2 (Approval pending) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Included artifacts │
│ [✓] SBOM snapshot (SPDX) [✓] Findings snapshot (with reachability) │
│ [✓] Attestations (build) [✓] Provenance │
│ [✓] VEX statements [✓] Policy decision record │
│ [✓] Replay log / determinism result (if present) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Integrity │
│ DSSE envelope: present ✓ Rekor entry: present ✓ Proof chain: chain-9912 │
│ Actions: [Verify now] [Replay verdict] [Export as Audit Bundle] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 20.5 Evidence screen — Evidence Bundles
### Formerly
* **Evidence → Bundles** (`evidence bundles.png`)
“Download and verify sealed evidence bundles for audit and compliance.”
### Why changed like this
Keep the screen, but make “bundle” explicitly:
* a **compiled export artifact**, usually for external auditors
* built from **packs**
* and searchable by Release/Env/Approval.
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Evidence Bundles] --> B[Bundle Detail]
A --> C[Generate bundle -> Export Center]
A --> D[Verify bundle -> Replay & Verify]
B --> E[Proof chain refs]
B --> F[Download]
```
### ASCII mock (aligned to your current UI, but with better routing)
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ EVIDENCE BUNDLES │
│ Formerly: Evidence ▸ Bundles (evidence bundles.png) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Release ▾ Env ▾ Approval ▾ Status ▾ Time window ▾ │
│ Note: Bundles are compiled exports (from packs) for auditors / compliance teams. │
│ [Go to Export Center] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Bundles │
│ (none found) │
│ Example rows: │
│ bundle-2026-02-18-us-prod.zip sealed ✓ contains packs: 3 [Open] [Download] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 20.6 Evidence screen — Bundle Detail (new)
### Formerly
* Bundle list existed, but bundle “composition” was not surfaced as a primary view.
### Why changed like this
Auditors ask “what exactly is inside” and “can I verify it independently.”
Bundle Detail shows:
* included packs
* signatures (DSSE)
* transparency log references (Rekor)
* verification status
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Bundle Detail] --> B[Included packs list]
A --> C[Included artifacts inventory]
A --> D[Signatures / DSSE / certificates]
A --> E[Transparency log refs]
A --> F[Verify / Replay]
A --> G[Download]
```
### ASCII mock
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE BUNDLE DETAIL: bundle-2026-02-18-us-prod.zip │
│ Formerly: not first-class; users downloaded without seeing composition │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Contents │
│ Packs: pack-9001, pack-9002, pack-9003 │
│ Includes: SBOM, Findings, Attestations, Provenance, VEX, Policy Decisions, Logs │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Integrity │
│ DSSE: present ✓ Rekor entry: present ✓ Cert chain: valid ✓ │
│ Verification status: VERIFIED │
│ Actions: [Verify bundle] [Open Proof Chain] [Download] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 20.7 Evidence screen — Export Center
### Formerly
* **Evidence → Export** (`export.png`)
“Configure export profiles and monitor export runs.”
### Why changed like this
Keep it intact, but:
* export profiles should be **release/bundle/env aware**
* add “Export Env Snapshot” and “Export Approval Decision Pack” as standard profiles
* export runs are auditable artifacts tied to proofs
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Export Center] --> B[Profiles]
A --> C[Export Runs]
B --> D[Profile Editor]
D --> E[Scope: Release / Bundle / Env / Approval]
D --> F[Destinations: S3/OCI/ZIP]
A --> G[Generated bundle -> Evidence Bundles]
```
### ASCII mock
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ EXPORT CENTER │
│ Formerly: Evidence ▸ Export (export.png) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Profiles (standardized) │
│ - Approval Decision Pack (ZIP) scope: Approval ID → includes gates + findings + evidence │
│ - Env Snapshot Export (TAR.GZ) scope: Env + time → includes deploy+sbom+reachability+data │
│ - Audit Bundle (ZIP) scope: Release → full auditor bundle │
│ - Daily Compliance Export (TAR) scope: org-wide nightly report │
│ Actions: [Create Profile] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Export Runs │
│ run-8811 Feb 18 08:40 profile: Env Snapshot (us-prod) status: COMPLETED [Open bundle] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 20.8 Evidence screen — Proof Chains
### Formerly
* **Evidence → Proof Chains** (menu exists; you referenced proof chains repeatedly)
### Why changed like this
Proof chains must be:
* searchable by release/bundle/env/pack
* linked from every exported artifact and decision
* verifiable with a single click trail
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Proof Chains] --> B[Chain Detail]
A --> C[Filter by pack/bundle/release/env]
B --> D[Linked artifacts]
B --> E[Transparency log (Rekor) refs]
B --> F[Verify chain]
```
### ASCII mock
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ PROOF CHAINS │
│ Formerly: Evidence ▸ Proof Chains (menu only in PoC) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Release ▾ Env ▾ Pack ▾ Bundle ▾ Status ▾ │
│ Chains │
│ chain-9912 linked: pack-9001 bundle-2026-02-18-us-prod status: VALID [Open] │
│ chain-9913 linked: pack-9002 status: VALID [Open] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 20.9 Evidence screen — Replay & Verify (Verdict Replay)
### Formerly
* **Evidence → Replay/Verify** (`reply verify.png`)
“Re-evaluate verdicts for determinism verification and audit trails.”
### Why changed like this
Keep the screen, but integrate it into audit flows:
* every pack/bundle can be replayed/verified from within its detail page
* the replay results are stored back into a pack (audit trail)
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Replay & Verify] --> B[Request Replay (verdict id / image ref)]
A --> C[Replay Requests list]
A --> D[Determinism overview]
A --> E[Open pack detail (source)]
A --> F[Write result into proof chain]
```
### ASCII mock (aligned to your current one, with clearer context)
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ REPLAY & VERIFY │
│ Formerly: Evidence ▸ Replay/Verify (reply verify.png) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Request Replay │
│ Verdict ID / Image Ref: [ verdict-123 or registry.example.com/app:v1.2.3 ] │
│ Reason: [ audit verification / policy change test / determinism check ] │
│ [Request Replay] │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Replay Requests │
│ rr-001 api-service:v1.2.3 COMPLETED Feb 18 08:30 [Open Pack] │
│ rr-002 web-frontend:v2.0.0 RUNNING Feb 18 07:30 [Open Pack] │
├───────────────────────────────────────────────────────────────────────────────┬──────────────┤
│ Determinism Overview │ Notes │
│ total: 2 matching: 1 mismatches: 1 match rate: 50% │ mismatches │
│ │ block exports?│
└──────────────────────────────────────────────────────────────────────────────┴──────────────┘
```
---
# 20.10 Evidence screen — Trust & Signing
### Formerly
* **Settings → Trust & Signing** (`trust and signing .png`)
Contains: Signing Keys, Issuers, Certificates, Transparency Log, Trust Scoring, Audit Log.
### Why changed like this
This is **evidence infrastructure**, not general “settings”.
It should live under Evidence & Audit (root), with a pointer in Settings if needed, because:
* VEX verification depends on issuers/certs
* Rekor integration depends on transparency log configuration
* evidence packs/bundles must be verifiable independently
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Trust & Signing] --> B[Signing Keys]
A --> C[Issuers]
A --> D[Certificates]
A --> E[Transparency Log (Rekor)]
A --> F[Trust Scoring]
A --> G[Audit Log (trust events)]
A --> H[Link: VEX Hub issuer status]
```
### ASCII mock (your card layout preserved)
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ TRUST & SIGNING │
│ Formerly: Settings ▸ Trust & Signing (trust and signing .png) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Signing Keys Issuers Certificates │
│ [Manage Keys] [Manage Issuers] [Manage Certificates] │
│ │
│ Transparency Log Trust Scoring Audit Log │
│ [Configure Rekor] [Edit Score Config] [View Audit Log] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
# 20.11 Evidence screen — Audit Log (new consolidated view)
### Formerly
* Trust & Signing had its own audit log tile.
* Other audit events were likely scattered.
### Why changed like this
Auditors dont want separate “trust audit” vs “export audit” vs “approval audit.”
This creates a unified log with filters and links to artifacts.
### Screen graph (Mermaid)
```mermaid
flowchart TD
A[Audit Log] --> B[Filter: release/env/approval/user/type]
A --> C[Event detail with links: pack/bundle/proof chain]
A --> D[Export audit log slice -> Evidence export]
```
### ASCII mock
```text
┌──────────────────────────────────────────────────────────────────────────────────────────────┐
│ EVIDENCE & AUDIT ▸ AUDIT LOG │
│ Formerly: scattered audit signals (Trust & Signing / Export Runs / Approvals) │
├──────────────────────────────────────────────────────────────────────────────────────────────┤
│ Filters: Event type ▾ Release ▾ Env ▾ Approval ▾ User ▾ Time ▾ │
│ Events │
│ Feb 18 08:40 ExportRun created run-8811 profile Env Snapshot us-prod by admin [Open] │
│ Feb 18 08:33 Promotion decision PASS run-7712 pack-9001 by alice.johnson [Open] │
│ Feb 18 07:10 Trust: cert rotated issuer RegistryCA by admin [Open] │
└──────────────────────────────────────────────────────────────────────────────────────────────┘
```
---
## What this pack accomplishes
* Evidence now has a **clear chain**:
**Promotion/Decision → Pack → Bundle → Proof Chain → Verify/Replay**
with exports available at each step.
* **Trust & Signing** is treated as evidence infrastructure and tied to VEX issuer trust and proof verification.
* Everything is searchable by **Release / Bundle / Env / Approval**, which is what auditors and release managers actually ask for.
---
If you want the next pack, **Pack 21** can consolidate **Settings** into:
* **Release Control** (root already)
* **Org & Access**
* **Integrations**
* **Notifications**
* **Usage & Limits**
* **System Admin**
…and provide Mermaid+ASCII for each of those screens with “formerly/why” mapping.